Trust & Security
This page is maintained by CTDMM Pty Ltd to answer common security and privacy questions about KingsCTDMM and the Paia assistant. It describes app-owner practices and enabled platform controls — it is not an independent certification or third-party audit. Last updated: 22 June 2026.
Shared responsibility. CTDMM operates the application and its data handling. Hosting, authentication infrastructure, and database services are provided by the Lovable platform. You remain responsible for safeguarding your own credentials, exchange API keys, and wallet keys.
Authentication & Access
Accounts use email/password and Google sign-in via the platform's managed authentication service. Sessions are stored in your browser and revoked on sign-out. Sensitive pages require a signed-in session before they render.
Role assignment (admin / user) is stored in a dedicated server table and enforced server-side. Privileged actions verify the caller's role on every request — client claims alone are never trusted.
Data Collection & Use
We collect only what the product needs: account identity (email, display name), trading preferences and bot settings you configure, linked wallet addresses, and operational logs for the auto-trader and email queue.
Your data is used to operate features you enable. We do not sell personal data. We do not run third-party advertising trackers on authenticated pages.
Row-Level Security on User Data
Every user-data table has row-level security enabled. Policies restrict reads and writes to the owning user via auth.uid(). Admin maintenance paths run server-side only and verify roles before touching data.
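An owner-only policy set of the kind described above, followed by two catalog queries for checking coverage. This is an added example, not KingsCTDMM's schema or code: the table `public.bot_settings`, its columns and the policy names are hypothetical, and it assumes a PostgreSQL database where `auth.uid()` returns the caller's user id and an `authenticated` role exists.

```sql
-- Hypothetical user-data table (names are assumptions for illustration).
create table public.bot_settings (
  id       uuid primary key default gen_random_uuid(),
  user_id  uuid not null default auth.uid(),
  settings jsonb not null default '{}'::jsonb
);

-- Without this, policies are ignored and table grants alone decide access.
alter table public.bot_settings enable row level security;

-- USING filters which existing rows are visible or targetable;
-- WITH CHECK validates the row as written, so a user cannot
-- insert or re-assign a row to someone else's user_id.
create policy bot_settings_select on public.bot_settings
  for select to authenticated
  using (user_id = auth.uid());

create policy bot_settings_insert on public.bot_settings
  for insert to authenticated
  with check (user_id = auth.uid());

create policy bot_settings_update on public.bot_settings
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy bot_settings_delete on public.bot_settings
  for delete to authenticated
  using (user_id = auth.uid());

-- Check 1: ordinary tables in the public schema with RLS still disabled.
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r' and not c.relrowsecurity;

-- Check 2: policies whose expressions never reference auth.uid(),
-- which deserve manual review (e.g. an accidental "using (true)").
select tablename, policyname, cmd
from pg_policies
where schemaname = 'public'
  and coalesce(qual, '') not like '%auth.uid()%'
  and coalesce(with_check, '') not like '%auth.uid()%';
```

Both checks should return no rows for user-data tables; roles that bypass RLS (such as a service role) are outside what these policies cover, which is why server-side role verification still matters.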
Exchange API Keys & Wallets
Exchange API keys (e.g. Bybit) are encrypted with AES-GCM using a server-only encryption key before being written to the database. Decryption only happens inside server functions when executing a trade or balance read on your behalf.
We recommend keys be created with withdrawal disabled and restricted to trading scopes. Wallet connections use Reown / WalletConnect — KingsCTDMM never receives your private keys or seed phrase.
Hosting & Transport Security
The application runs on Lovable's edge runtime. All traffic is served over HTTPS/TLS. Server-only secrets (encryption keys, service-role keys, third-party API credentials) are stored in the platform's secret manager and are never exposed to the browser.
Email & Unsubscribe
Transactional and authentication emails are sent from ctdmm.com via the platform's managed email infrastructure. Bounces and complaints are recorded and suppressed automatically. Every marketing-style email includes a one-click unsubscribe link backed by a cryptographically random token validated server-side.
Cookies & Local Storage
We use first-party cookies and browser local storage only for what's required to operate the app: keeping you signed in, remembering your selected theme, and persisting UI preferences. No cross-site advertising cookies are set by us.
Subprocessors & Integrations
KingsCTDMM relies on a small set of subprocessors:
- Lovable Cloud — hosting, database, authentication, email
- Google — optional sign-in provider
- Bybit — only when you connect your own API keys
- Reown / WalletConnect — wallet connections
Connecting an exchange or wallet is opt-in. You can revoke any integration at any time from your account.
Retention, Deletion & Requests
Account data is retained while your account is active. To request deletion, export, or correction of your personal data, contact privacy@ctdmm.com. We aim to respond within 30 days.
Security Contact & Disclosure
Report suspected vulnerabilities to security@ctdmm.com. Please give us a reasonable window to investigate and remediate before public disclosure. We do not pursue legal action against good-faith research conducted within these guidelines.
Compliance Scope
KingsCTDMM is software for educational and informational use. It is not a regulated financial product and we make no claim of SOC 2, ISO 27001, PCI DSS, HIPAA, or other certifications. Trading involves substantial risk — see our Risk Disclosure.